
Thread: Click.GiftLoad infection 2

  1. #11
    Junior Member
    Join Date
    May 2011
    Posts
    9

    ComboFix

    Hello Ken,
    I have to say thanks ... not you!

    Here is the log from ComboFix:


    ComboFix 11-05-16.04 - Enrico 17/05/2011 20.09.44.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3326.2486 [GMT 2:00]
    Eseguito da: d:\documenti\Download\ComboFix.exe
    AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    .
    ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\1.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\a.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\b.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\c.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\d.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\e.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\f.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\g.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\h.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\i.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\J.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\k.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\l.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\m.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\mru.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\n.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\o.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\p.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\q.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\r.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\s.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\t.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\u.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\v.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\w.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\x.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\y.xml
    c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\z.xml
    c:\windows\system32\Drivers\wscy.sys
    .
    .
    ((((((((((((((((((((((((( Files Creati Da 2011-04-17 al 2011-05-17 )))))))))))))))))))))))))))))))))))
    .
    .
    2011-05-17 13:57 . 2011-05-17 13:57 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\HitPoint Studios
    2011-05-16 07:25 . 2011-05-16 07:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-13 20:16 . 2011-05-13 20:16 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\DailyMagic
    2011-05-13 09:09 . 2011-05-13 09:09 -------- d-----w- C:\13-05-2011
    2011-05-12 22:11 . 2011-05-12 22:11 -------- d-----w- c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Apple Computer
    2011-05-12 17:44 . 2011-05-12 17:44 -------- d-----w- c:\programmi\ESET
    2011-05-12 17:38 . 2011-05-12 17:38 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Malwarebytes
    2011-05-12 17:38 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-12 17:38 . 2011-05-12 17:38 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
    2011-05-12 17:38 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-12 16:32 . 2011-05-12 16:32 -------- d-----w- c:\programmi\CCleaner
    2011-05-12 16:18 . 2011-05-12 16:18 -------- d-----r- c:\documents and settings\NetworkService\Preferiti
    2011-05-12 15:33 . 2011-05-12 15:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2011-05-12 13:52 . 2011-05-12 13:52 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Maximize Games
    2011-05-12 13:52 . 2011-05-12 13:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Maximize Games
    2011-05-10 11:01 . 2011-05-10 11:01 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Phantasmat_awem_ce
    2011-05-07 11:22 . 2011-05-07 11:22 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Monkey Barrel Games
    2011-05-06 06:27 . 2011-05-06 06:27 -------- d-----w- C:\ProgramData
    2011-05-06 06:27 . 2011-05-06 06:56 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Electronic Arts
    2011-05-03 16:38 . 2011-05-03 16:38 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Lazy Turtle Games
    2011-05-01 19:34 . 2011-05-01 21:00 -------- d-----w- c:\documents and settings\Enrico\Impostazioni locali\Dati applicazioni\il
    2011-04-28 19:03 . 2011-04-28 19:03 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Funswitch
    2011-04-25 23:46 . 2011-04-25 23:46 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Merscom
    2011-04-25 23:46 . 2011-04-25 23:46 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Merscom
    2011-04-22 11:25 . 2011-04-22 11:25 -------- d-----w- c:\documents and settings\Enrico\Dati applicazioni\Vogat Interactive
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* i valori vuoti & legittimi/default non sono visualizzati.
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\programmi\uTorrentBar\tbuTo1.dll" [2010-12-28 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-12-28 13:58 3911776 ----a-w- c:\programmi\ConduitEngine\ConduitEngin0.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2010-12-28 13:58 3911776 ----a-w- c:\programmi\uTorrentBar\tbuTo1.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\programmi\uTorrentBar\tbuTo1.dll" [2010-12-28 3911776]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\programmi\ConduitEngine\ConduitEngin0.dll" [2010-12-28 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\programmi\uTorrentBar\tbuTo1.dll" [2010-12-28 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EVEREST AutoStart"="d:\programmi\everest\everest.exe" [2009-09-14 2420320]
    "msnmsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "feedreader.exe"="d:\programmi\FeedReader30\feedreader.exe" [2009-03-29 2058240]
    "uTorrent"="d:\programmi\uTorrent\uTorrent.exe" [2011-03-29 399736]
    "Uniblue RegistryBooster 2"="d:\programmi\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2010-11-12 1859864]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
    "DAEMON Tools Lite"="d:\programmi\DAEMON Tools Lite\DTLite.exe" [2011-01-05 1305408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2010-09-03 19573352]
    "Babylon Client"="d:\programmi\Babylon\Babylon.exe" [2006-08-13 2441281]
    "A0380mon"="c:\windows\system32\A0380mon.exe" [2007-03-22 16384]
    "DHTray"="c:\windows\system32\DHTray.exe" [2007-06-19 331776]
    "ZoneAlarm Client"="d:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
    "ISW"="c:\programmi\CheckPoint\ZAForceField\ForceField.exe" [2010-08-27 730600]
    "VC9Player"="d:\programmi\Virtual CD v9\System\VC9Play.exe" [2009-04-17 202056]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "Adobe Reader Speed Launcher"="d:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
    "nwiz"="c:\programmi\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Enrico\Menu Avvio\Programmi\Esecuzione automatica\
    MagicDisc.lnk - d:\programmi\MagicDisc\MagicDisc.exe [2009-9-22 576000]
    .
    c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
    Belkin 802.11g Wireless PCI Card Configuration Utility.lnk - d:\programmi\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe [2010-11-18 327765]
    Watch.lnk - c:\programmi\Mustek 1200 UB Plus\Driver\WATCH.exe [2010-11-19 364544]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
    "Adobe Reader Speed Launcher"="d:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "GrooveMonitor"="d:\programmi\Microsoft Office\Office12\GrooveMonitor.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "d:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
    "d:\\Programmi\\uTorrent\\uTorrent.exe"=
    "c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "d:\\Programmi\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "f:\\Programmi\\Bohemia Interactive\\ArmA 2 Operation Arrowhead\\arma2OA.exe"=
    "c:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Programmi\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
    "d:\\Programmi\\ICQ7.4\\ICQ.exe"=
    .
    .
    R2 gupdate;Servizio di Google Update (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [2010-11-30 136176]
    R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-17 1691480]
    R3 gupdatem;Servizio Google Update (gupdatem);c:\programmi\Google\Update\GoogleUpdate.exe [2010-11-30 136176]
    R3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2006-09-20 11392]
    R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-04-14 14336]
    R3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\DRIVERS\RTLTEAMING.SYS [2009-10-12 29440]
    R3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\DRIVERS\RTLVLAN.SYS [2009-02-16 17536]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 420920]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-03-17 218176]
    S1 vdrv9000;vdrv9000;c:\windows\system32\DRIVERS\vdrv9000.sys [2009-03-17 113688]
    S2 ICQ Service;ICQ Service;c:\programmi\ICQ6Toolbar\ICQ Service.exe [2010-09-06 247096]
    S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\programmi\CheckPoint\ZAForceField\ISWKL.sys [2010-08-27 26352]
    S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\programmi\CheckPoint\ZAForceField\IswSvc.exe [2010-08-27 493032]
    S2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt5x.sys [2008-07-09 22016]
    S2 VC9SecS;Virtual CD v9 Management Service;d:\programmi\Virtual CD v9\System\VC9SecS.exe [2009-04-17 132424]
    S3 A0380VID;USB2.0 PC Camera;c:\windows\system32\DRIVERS\A0380Vid.sys [2007-06-06 3927808]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;d:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 17149]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\programmi\everest\kerneld.wnt [2009-09-05 27248]
    .
    .
    --- Altri Servizi/Drivers In Memoria ---
    .
    *NewlyCreated* - EVERESTDRIVER
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contenuto della cartella 'Scheduled Tasks'
    .
    2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\programmi\Google\Update\GoogleUpdate.exe [2010-11-30 23:20]
    .
    2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\programmi\Google\Update\GoogleUpdate.exe [2010-11-30 23:20]
    .
    .
    ------- Scansione supplementare -------
    .
    uStart Page = hxxp://start.icq.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &Point&&Go - c:\programmi\File comuni\Expert System\PGPlatform\PGPlatform.htm
    IE: E&sporta in Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {{73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - d:\programmi\ICQ7.4\ICQ.exe
    TCP: {0986B0B7-B29E-4D38-9D30-1A811E5DA726} = 192.168.2.1,8.8.8.8
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - ProfilePath - c:\documents and settings\Enrico\Dati applicazioni\Mozilla\Firefox\Profiles\2rhpiqrz.default\
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - _blank;
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-17 20:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scansione processi nascosti ...
    .
    scansione entrate autostart nascoste ...
    .
    Scansione files nascosti ...
    .
    Scansione completata con successo
    Files nascosti: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EverestDriver]
    "ImagePath"="\??\d:\programmi\everest\kerneld.wnt"
    .
    --------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- Dlls caricate dai processi in esecuzione ---------------------
    .
    - - - - - - - > 'winlogon.exe'(928)
    c:\programmi\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    - - - - - - - > 'lsass.exe'(984)
    c:\programmi\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
    .
    Ora fine scansione: 2011-05-17 20:20:23
    ComboFix-quarantined-files.txt 2011-05-17 18:20
    .
    Pre-Run: 3.872.772.096 byte disponibili
    Post-Run: 3.978.276.864 byte disponibili
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - CAC0A824D64F09514D9979AC4A79499F
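As an added example (not part of the thread and not ComboFix's own code): a small Python triage script that parses the section layout of the ComboFix log above, the deletions list, the "Files Creati" window and the loaded registry autostarts, and flags what a responder reads first: a removed kernel driver (wscy.sys), new .sys files under system32\drivers and browser add-ons (BHO/toolbar DLLs). The sample log is a constructed excerpt of the post; the section keywords and rule names are my own.

```python
import re
# Constructed excerpt of the ComboFix log posted above (ComboFix prints section banners
# in the system language, Italian here, so sections are matched on keywords).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Enrico\Dati applicazioni\PriceGong\Data\a.xml
c:\windows\system32\Drivers\wscy.sys
.
((((((((((((((((((((((((( Files Creati Da 2011-04-17 al 2011-05-17 )))))))))))))))))))))))))))))))))))
.
2011-05-12 17:38 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-12 17:44 . 2011-05-12 17:44 -------- d-----w- c:\programmi\ESET
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-28 13:58 3911776 ----a-w- c:\programmi\uTorrentBar\tbuTo1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="d:\programmi\uTorrent\uTorrent.exe" [2011-03-29 399736]
"""

SECTION = re.compile(r"^\(+\s*(.+?)\s*\)+$")                       # ((((( banner )))))
CREATED = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S+) (.+)$")  # created . modified size attrs path
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^"([^"]*)"="([^"]*)"(?: \[(\d{4}-\d{2}-\d{2}) (\d+)\])?$')
REG_MOD = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\d+) \S+ (.+)$")  # BHO/toolbar module line
KINDS = {"eliminazioni": "deleted", "files creati": "created", "punti reg": "registry"}

def parse_combofix(text):
    """Split a ComboFix log into deleted paths, new files and loaded registry autostart entries."""
    out, section, key = {"deleted": [], "created": [], "registry": []}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == ".":
            continue
        if banner := SECTION.match(line):
            title = banner.group(1).lower()
            section = next((v for k, v in KINDS.items() if k in title), None)
        elif section == "deleted":
            out["deleted"].append(line)
        elif section == "created" and (m := CREATED.match(line)):
            size = int(m.group(3)) if m.group(3).isdigit() else None  # "--------" for directories
            out["created"].append({"created": m.group(1), "size": size, "attrs": m.group(4), "path": m.group(5)})
        elif section == "registry" and (m := REG_KEY.match(line)):
            key = m.group(1)
        elif section == "registry" and (m := REG_VAL.match(line)):
            out["registry"].append({"key": key, "name": m.group(1), "path": m.group(2),
                                    "size": int(m.group(4)) if m.group(4) else None})
        elif section == "registry" and (m := REG_MOD.match(line)):
            out["registry"].append({"key": key, "name": None, "path": m.group(3), "size": int(m.group(2))})
    return out

def triage(parsed):
    """Flag what a responder reads first; legitimate tools (e.g. Malwarebytes' driver) surface too."""
    findings = []
    for path in parsed["deleted"]:
        if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
            findings.append(("driver-removed", path))      # removed kernel driver such as wscy.sys
    for e in parsed["created"]:
        p = e["path"].lower()
        if not e["attrs"].startswith("d") and "\\system32\\drivers\\" in p and p.endswith(".sys"):
            findings.append(("new-driver", e["path"]))     # kernel driver dropped inside the scan window
    for e in parsed["registry"]:
        if "browser helper objects" in e["key"].lower() or "\\toolbar" in e["key"].lower():
            findings.append(("browser-addon", e["path"]))  # BHO / toolbar DLL loaded into Internet Explorer
    return findings
```

Feed the full log text to parse_combofix() instead of SAMPLE_LOG to triage a real report; entries in the Run keys are kept in the parsed output for manual review even though triage() does not flag them.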

  2. #12
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    uTorrentBar <-- Using file sharing programs like this is most likely how you got infected: you're downloading that file from an unknown source, and the greater percentage of them contain malware, as malware writers are using file sharing as one of the latest ways to infect you.


    How are things running now?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #13
    Junior Member
    Join Date
    May 2011
    Posts
    9

    Final

    Hello Ken,

    I checked the PC again and it seems to be going well ... and it doesn't load a lot of drivers like in the past (looking in Task Manager), so it seems fast.
    Thank you for your precious help.

    Have a nice day and again thank you.

  4. #14
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    That's nice to hear, glad all is well.

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
    Please note: if you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.
    • Click START then RUN
    • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.
    System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

    Please follow the steps below to create a clean restore point:
    1. Click Start > Run > copy and paste the following into the run box:
      %SystemRoot%\System32\restore\rstrui.exe
    2. Press OK. Choose Create a Restore Point then click Next.
    3. Name it (something you'll remember) and click Create.
    4. When the confirmation screen shows the restore point has been created click Close.


    Then remove all previous Restore Points
    1. Click Start > Run > copy and paste the following into the run box:
      cleanmgr
    2. Choose to scan drive C:\ (if C:\ is your main drive).
    3. At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
    4. Click on the Yes button.
    5. When finished, click on Cancel button to exit.
    Now to remove most of the tools that we have used in fixing your machine:
    • Make sure you have an Internet Connection.
    • Download OTC to your desktop and run it
    • A list of tool components used in the cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
    • Click Yes to begin the cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
    Safe Surfn
    Ken

  5. #15
    Junior Member
    Join Date
    May 2011
    Posts
    9

    Thank you

    Hello Ken,

    All done, now the PC is clean (I hope).
    I don't use Windows to deal with sensitive details like banks, credit cards and so on; for this I prefer to use Linux on another PC.

    Thank you for your patience and your support.

    Have a wonderful day

  6. #16
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    You're very welcome,

    Take Care,

    Ken

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
